v0.32.0


Breaking: OAuth Token Credential Sources Restructured

The oauth_token transform now takes a discrete secret source per credential field instead of a single JSON blob. The previous blob shape was only compatible with Google's authorized_user file format; every other provider required hand-assembling credentials into that shape and storing them as a synthetic secret. token_endpoint is now required on all grants.

jwt_bearer has been removed from oauth_token. It consumed a Google service-account keyfile and duplicated the gcp_auth transform. gcp_auth gains a subject field for Workspace domain-wide delegation so no capability is lost. oauth_token is now a standard RFC 6749 implementation with no vendor coupling.

The oauth_token transform is marked experimental while the API stabilizes.

This is a breaking config change for existing oauth_token users. Update your config to use per-field secret sources and migrate any jwt_bearer grants to gcp_auth:

# Before
- name: oauth_token
  config:
    tokens:
      - grant: refresh_token
        credential:
          type: 1password_connect
          secret_ref: "op://Engineering/GSUITE-OAUTH/credential"
        token_endpoint: "https://oauth2.googleapis.com/token"
        scopes:
          - "https://www.googleapis.com/auth/gmail.readonly"
        rules:
          - host: "gmail.googleapis.com"

# After
- name: oauth_token
  config:
    tokens:
      - grant: refresh_token
        refresh_token:
          type: 1password_connect
          secret_ref: "op://Engineering/GSUITE-OAUTH/refresh-token"
        client_id:
          type: env
          var: GSUITE_OAUTH_CLIENT_ID
        client_secret:        # omit for public (PKCE) clients
          type: 1password_connect
          secret_ref: "op://Engineering/GSUITE-OAUTH/client-secret"
        token_endpoint: "https://oauth2.googleapis.com/token"
        scopes:
          - "https://www.googleapis.com/auth/gmail.readonly"
        rules:
          - host: "gmail.googleapis.com"

New: json_key Available on All Secret Sources

json_key extraction is now available on every secret source (previously limited to aws_sm and aws_ssm). Extraction is applied centrally in resolveSource, after the backend returns the raw value, so any secret whose value is a JSON object can have individual fields selected by key regardless of which backend stores it. This pairs naturally with the new per-field credential sources:

# Pull client_id and client_secret out of one JSON secret in AWS Secrets Manager
- grant: client_credentials
  client_id:
    type: aws_sm
    secret_id: "arn:aws:secretsmanager:us-east-1:123:secret:oauth"
    json_key: "client_id"
  client_secret:
    type: aws_sm
    secret_id: "arn:aws:secretsmanager:us-east-1:123:secret:oauth"
    json_key: "client_secret"
  token_endpoint: "https://login.example.com/oauth2/token"
  rules:
    - host: "api.example.com"
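How the per-field credential sources and centralized json_key extraction fit together, as an added example that is not the project's code: a small Python resolver mirroring the config shapes above, which fetches the raw value per backend, applies json_key in one place for every source type, validates that token_endpoint and the grant's required fields are present, and assembles the RFC 6749 form body for refresh_token and client_credentials grants. The aws_sm lookup is a dict standing in for Secrets Manager, and the `literal` source type is a hypothetical one introduced here so the sample configs run offline; both are assumptions of this example.

```python
import json
from urllib.parse import urlencode

# Constructed stand-in for AWS Secrets Manager: secret_id -> raw secret string.
# A real resolver would call the backend; a dict keeps the example offline.
FAKE_AWS_SM = {
    "arn:aws:secretsmanager:us-east-1:123:secret:oauth":
        '{"client_id": "svc-client", "client_secret": "s3cr3t-constructed"}',
}

SUPPORTED_GRANTS = {"refresh_token", "client_credentials"}


def resolve_source(source, env):
    """Resolve one secret-source mapping to a string.

    The backend-specific branch only fetches the raw value; json_key is applied
    afterwards in a single place, which is what makes it work for every type.
    `literal` is a hypothetical type used for this example, not a project type.
    """
    kind = source["type"]
    if kind == "env":
        raw = env[source["var"]]
    elif kind == "aws_sm":
        raw = FAKE_AWS_SM[source["secret_id"]]
    elif kind == "literal":
        raw = source["value"]
    else:
        raise ValueError(f"unsupported secret source type: {kind}")

    key = source.get("json_key")
    if key is None:
        return raw
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"json_key {key!r} set but secret is not valid JSON") from exc
    if not isinstance(doc, dict) or key not in doc:
        raise KeyError(f"json_key {key!r} not found in secret")
    value = doc[key]
    if not isinstance(value, str):
        # Refuse to silently stringify a nested object or number into a credential.
        raise TypeError(f"json_key {key!r} must select a string, got {type(value).__name__}")
    return value


def check_token_config(cfg):
    """Return a list of config problems for one `tokens:` entry (empty if OK)."""
    problems = []
    grant = cfg.get("grant")
    if grant not in SUPPORTED_GRANTS:
        problems.append(f"unsupported grant: {grant!r}")
    if "token_endpoint" not in cfg:
        problems.append("token_endpoint is required on all grants")
    if "client_id" not in cfg:
        problems.append("client_id source is required")
    if grant == "refresh_token" and "refresh_token" not in cfg:
        problems.append("refresh_token source is required for the refresh_token grant")
    # This example only knows client_secret authentication; client_credentials is
    # confidential-client only (RFC 6749 section 4.4), so the secret is mandatory here.
    if grant == "client_credentials" and "client_secret" not in cfg:
        problems.append("client_credentials grant needs a client_secret to authenticate")
    return problems


def build_token_request(cfg, env):
    """Return (token_endpoint, form-body dict) for an RFC 6749 token request."""
    problems = check_token_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"grant_type": cfg["grant"]}
    body["client_id"] = resolve_source(cfg["client_id"], env)
    # Confidential clients send client_secret in the body (client_secret_post);
    # a public (PKCE) client omits the field from its config and nothing is sent.
    if "client_secret" in cfg:
        body["client_secret"] = resolve_source(cfg["client_secret"], env)
    if cfg["grant"] == "refresh_token":
        body["refresh_token"] = resolve_source(cfg["refresh_token"], env)
    if cfg.get("scopes"):
        body["scope"] = " ".join(cfg["scopes"])  # RFC 6749 section 3.3: space-delimited
    return cfg["token_endpoint"], body


def encode_form(body):
    """application/x-www-form-urlencoded body, as POSTed to the token endpoint."""
    return urlencode(body)


# Constructed sample configs mirroring the shapes in the release notes.
ARN = "arn:aws:secretsmanager:us-east-1:123:secret:oauth"
REFRESH_CFG = {  # public client: no client_secret
    "grant": "refresh_token",
    "refresh_token": {"type": "literal", "value": "1//rt-constructed"},
    "client_id": {"type": "env", "var": "GSUITE_OAUTH_CLIENT_ID"},
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "scopes": ["https://www.googleapis.com/auth/gmail.readonly"],
}
CC_CFG = {  # both fields pulled out of one JSON secret via json_key
    "grant": "client_credentials",
    "client_id": {"type": "aws_sm", "secret_id": ARN, "json_key": "client_id"},
    "client_secret": {"type": "aws_sm", "secret_id": ARN, "json_key": "client_secret"},
    "token_endpoint": "https://login.example.com/oauth2/token",
}

if __name__ == "__main__":
    env = {"GSUITE_OAUTH_CLIENT_ID": "client-id-constructed"}
    for cfg in (REFRESH_CFG, CC_CFG):
        endpoint, body = build_token_request(cfg, env)
        print(endpoint, encode_form(body))
```

Because json_key runs after the fetch, a wrong key or a non-string value fails at config resolution rather than producing a token request with a mangled credential; the same check applies whether the JSON came from aws_sm, an environment variable, or any other backend.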

Changelog

  • efe377a refactor(oauth): discrete credential sources, drop jwt_bearer (#122)